GoodNotes Privacy Policy

Privacy policy | Cookies

Last Updated: April 2023

GoodNotes Limited and its affiliates (the “Company”, “we”, “our” or “us”) are committed to protecting and respecting your privacy. We are a company with our registered office at 1 Bartholomew Lane, London, United Kingdom, EC2N 2AX. This privacy policy (or “Policy”) sets out the basis on which any data and information the Company collects from you will be processed by the Company during your use of the iOS App and the Beta for Windows, Android and our browser app (together, the ”app”) and/or any functions or features GoodNotes offer (including, for example, the GoodNotes Learn and the GoodNotes Cloud), and any other product or services that links to these Terms, as well as all functionality that GoodNotes makes available (collectively, the "Services").

  1. 1. What kind of data is being collected?

    We may collect and process “Personal Data” (which is defined as any data that identifies or can be used to identify you) about you when you visit the site, install, download, access, register for or use the app, use our Services, or contact us in relation to the Services. The nature of the Personal Data that we may collect, and process will be determined by how you are using our Services. For example, where you are accessing, registering or using the app, we will collect less Personal Data than when you sign up and create an account to use our Services. We will only use your Personal Data as set out below and always in accordance with applicable data protection laws. While we are not based in the European Economic Area ("EEA") we also comply with the European Union's General Data Protection Regulation 2016/679 (the “EU GDPR”) together with the version of the EU GDPR which is incorporated into the domestic law of the United Kingdom (the “UK GDPR”) (the EU GDPR and the UK GDPR are collectively referred to as the "GDPR").

    We do not collect, and please do not provide to us, special categories of Personal Data (as defined in the GDPR), which means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic and biometric data, or data concerning health, sex life or sexual orientation.

    NOTE: Our Services are not intended for use by HIPAA covered entities for the transmission of Protected Health Information, nor intended for the transmission of sensitive information such as payment card or financial information (except when making a purchase), so please do not share this information with us.
    1. Information that you provide to us:

      We collect Personal Information that you voluntarily provide to us when you use our Services. For example, you may provide us with your contact information such as your email address, first name and last name, phone number, or other Personal Information when you choose to submit such information to us through email, an online form, or other method (such as subscribing to our newsletter). Such information may include (by way of a non-exhaustive list):

      • basic Personal Data about you (such as first name; family name; email address; country);
      • for certain support requests and issues, we may ask you to export and send us diagnostic data of your app. This data includes information necessary to diagnose and resolve issues you might experience with our Services including the titles of your documents, folders, and imported files; 
      • any information that you choose to share through the Services which may be considered Personal Data, including any information you upload containing details about you; and
      • if you make a purchase, your credit card or debit card information (such as card type and expiration date) and other financial data that we need to process your payment may be collected and stored by third party payment processors with which we work. We may also collect some limited information, such as your postal code and details of your transaction history. At no time, however, do we have access to your full payment card information.
    2. Information that we automatically collect or generate about you:

      When you use our Services, we automatically receive and collect information about you and your device. This includes (by way of non-exhaustive list):

      • any information regarding the Services accessed and/or used by you and our interactions with you;
      • a file with your contact history to be used for enquiry purposes so that we may ensure that you are satisfied with the Services which we have provided to you; 
      • usage data when you visit or otherwise use the Services;
      • marketing and communications data collected regarding marketing, promotions and communicating new features; and
      • activity data relating to your usage of the Services, including publication of content and the use of documents available through the Services.
    3. Information we obtain from other sources:

      We sometimes collect Personal Data provided to us by third-parties, service providers, agencies or other publicly available sources where applicable. This includes (by way of non-exhaustive list):

      • social media features which may collect your IP address, which page you are visiting on our site, and may set a Cookie to enable the feature to function properly. Features may also allow third party social media services to provide us with information about you, including your name, email address, and other contact information. The information we receive is dependent upon your privacy settings with the third-party social media service. Features are either hosted by a third party or hosted directly on our site. Your interactions with these features are governed by the privacy statements of the third-party companies providing them. You should always review and, if necessary, adjust your privacy settings on third party websites and services before linking or connecting them to our Services.
    4. Aggregate Information: Aggregate information is information that does not identify you. Aggregate information may be collected when you use our Services, independent of any information you voluntarily enter. Additionally, we may use one or more processes to de-identify information that contains Personal Data, such that only aggregate information remains. We may collect, use, store, and transfer aggregate information without restriction.
  2. 2. What is this data being used for?

    1. In general, we collect Personal Data from you so that we can provide our Services, operate our business, and provide information that you request from us. This includes the following ways and for the following purposes:
      • to allow you to use and access the features and functionality provided by the Services;
      • to set you up to use the Services, including creating and administering your account;
      • to understand feedback on the Services and to help provide more information on the use of those services quickly and easily;
      • to communicate with you in order to provide you with the Services or information about us and the Services;
      • to allow us to tailor the information you see about materials and information that are most relevant to you;
      • for ongoing review and improvement of the information provided on the Services to ensure that it is user friendly and to prevent any potential disruptions or cyber-attacks;
      • to understand your needs and interests;
      • to provide you with technical and other support;
      • for the management and administration of our business or in relation to the sale of our business; 
      • in order to comply with and in order to assess compliance with applicable laws, rules and regulations, subpoenas, legal processes, governmental requests, and internal policies and procedures; 
      • for the administration and maintenance of our databases storing Personal Data; 
      • to detect, prevent, or otherwise address fraud, security or technical issues; or 

      We may additionally use your data when it is necessary to do so (in all cases in accordance with applicable data protection laws), including for the following purposes:

      • we need to do so in order to perform our contractual obligations with our customers and third-party providers;
      • we have obtained your consent;
      • we have legal and regulatory obligations that we have to discharge;
      • we may need to do so in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings; or

      the use of your Personal Data as described is necessary for our legitimate business interests, such as:

      • allowing us to effectively and efficiently manage and administer the operation of our business and the Services;
      • enforce contracts and applicable Terms of Use, including investigation of potential violations thereof;
      • maintaining compliance with internal policies and procedures;
      • monitoring the use of our copyrighted materials;
      • enabling quick and easy access to information on the GoodNotes Learn and the Services; and
      • protect against harm to the rights, property or safety of GoodNotes, our users, customers, or the public as required or permitted by law.
  3. 3. Who is my data disclosed to?

    1. We may disclose your Personal Data to other companies within our group for the purposes set out in "What is this data being used for?" above, as well as to law enforcement and regulatory agencies as may be required by law.
    2. If you use certain features in the Services, such as note sharing or collaboration features, the information contained in the content that you share, which will include any Personal Data contained in such content, will be shared with the individuals that you select. We will not share your information this way unless you direct us to do so through your use of the Services.
    3. We may also disclose and transfer your Personal Data (whether in Hong Kong or abroad) to our agents, contractors or vendors ("Service Providers"). When we do this, we will ensure that they are under a duty of confidentiality to us and we have imposed contractual obligations to ensure they can only use your Personal Data to provide agreed services to us and to you. Such Service Providers may provide administrative, data processing or other similar services to us to enable us to better provide the Services. We may also provide your Personal Data to actual or proposed assignees or transferees of our rights with respect to you in connection with a merger, sale or transfer (whether of assets or shares). In particular, certain of the specific third parties that we disclose data to include:
      • In order to log aggregated statistical, non-Personal Data, we use another service by Google called Google Analytics for Firebase.
      • We use Zendesk by Zendesk Inc. for handling customer support emails.
      • We use Mailchimp for sending newsletters and tips and tricks to subscribers that subscribe voluntarily. 
      • To collect feedback and ideas in our idea forum, we use the service provided by UserVoice. In order to submit feedback to the forum, an account with UserVoice will need to be created.
      • We use Amazon Web Services to power the infrastructure for GoodNotes Cloud.
      • We provide optional functionalities which allow you to sync your files on the app to your iCloud account. 
      • We also use Compose, Inc. to power the infrastructure for GoodNotes Cloud.
      • We use Mixpanel to collect information about the use of GoodNotes Learn to maintain and improve our features.
      • We use Amplitude to collect information on usage of our app to maintain and improve our app and our products and services.
      • We may use Braze to notify you of important events about the Services and provide you with an enhanced user experience when using the Services.
  4. 4. Required disclosures and transfers

    We may also transfer or disclose your Personal Data to third parties under the following circumstances: (i) to comply with a legal requirement, law, subpoena, judicial proceeding, court order, governmental request, or legal process; (ii) to investigate a possible crime, such as fraud or identity theft; (iii) in connection with the sale, purchase, merger, asset sale, financing, reorganisation, liquidation or dissolution of GoodNotes; (iv) when we believe it is necessary to protect the rights, property, or safety of GoodNotes or other persons, or (v) as otherwise required or permitted by law, including any contractual obligations of GoodNotes.
  5. 5. Retention Process

    How long we will hold your Personal Data for will vary and will be determined by the following criteria:

    • the purpose for which we are using it – we will need to keep your Personal Data for as long as is necessary for that purpose; and
    • legal obligations – laws or regulation may set a minimum period that we have to keep your Personal Data.
  6. 6. International transfers of Personal Data

    1. We are a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country.
    2. When we transfer your Personal Data to another country outside the UK and / or EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:
      • the country that we send the data to might be approved by relevant data protection authorities as offering an adequate level of protection for Personal Data; 
      • the recipient might have signed up to a contract based on “model contractual clauses” approved by relevant data protection authorities, obliging them to protect your Personal Data;
      • the recipient may have adhered to binding corporate rules; or
      • In other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.
    3. You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK and / or EEA (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as referred to in the “More Questions” section below.
  7. 7. Keeping your data secure

    1. We will use reasonable technical and organisational measures designed to safeguard your Personal Data, for example:
      • access to your membership, if you register with us, is controlled by your email or mobile phone number and a password that is unique to you;
      • we encrypt your Personal Data;
      • Any Personal Data that we process or store is done on secure servers.
    2. All processing of your Personal Data shall be conducted according to the data protection principles as follows:
      • Personal Data must be processed lawfully, fairly and transparently;
      • Personal Data must be accurate and kept up to date with every effort to erase or correct;
      • Personal Data must be processed in a manner that ensures the appropriate security.
    3. In addition, we have reasonable security measures in place designed to prevent Personal Data from being accidentally or unlawfully lost, used or accessed. We limit access to your Personal Data to those who have a genuine business need to access it. We take steps designed to ensure that those processing your Personal Data will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to respond to data security breaches. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
    4. However, since the Internet is not a 100% secure environment, we cannot guarantee, ensure, or warrant the security of any information, including Personal Data, you transmit to us. There is no guarantee that information, including Personal Data, may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.
  8. 8. Information about other individuals

    If you give us information on behalf of someone else, you confirm and represent that you have the consent of such person to do so and such person has appointed you to act on his/her behalf to:
    • give consent on his/her behalf to the processing and transfer of his/her Personal Data; and
    • receive on his/her behalf any notices relating to data protection.
  9. 9. Third Party Websites

    Our Services may contain links to other websites operated by third parties and may include social media features such as Facebook, Twitter, YouTube, and Instagram buttons or links. You may also submit content to our blog through Medium. These third-party websites may collect information about you if you click on a link or visit those websites, and the social media sites may automatically record information about your browsing behaviour every time you visit a website that has a social media button. Your interactions with these features and third parties are governed by the privacy policy of the third party, not by this privacy policy.
  10. 10. Children

    Our Services are not directed at children under 16 and we do not knowingly collect Personal Data from children under 16. If you are the parent of a child under the age of 16, and you believe he or she has shared Personal Data with us, please contact us so we can remove such information from our systems.
  11. 11. Your rights Under the GDPR

    1. This section applies to residents of the European Economic Area and the United Kingdom. Under certain circumstances, you may have rights under data protection laws in relation to your Personal Data which you can exercise free of charge. These rights include:
      • The right to know whether we hold your Personal Data and to request access to your Personal Data held by us.
      • The right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation.
      • The right to request that we rectify your Personal Data if it is inaccurate or incomplete.
      • The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data, but we are legally entitled to retain it.
      • In some circumstances, the right to receive the Personal Data you provided to us in a structured, commonly used and machine-readable format and/or to instruct us to transmit that data to a third party.
      • The right to object at any time to your Personal Data being processed for direct marketing and in other certain circumstances, such as if we change our legitimate interests from the basis on which we initially collected and processed your Personal Data.
      • The right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us.
    2. If you wish to exercise any of the above rights, or make any related complaint or request in relation to your Personal Data, please contact us by using the contact details in the “More Questions” section below.
    3. Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction.
  12. 12. California Residents

    1. If you are a resident of California, this section applies to you and is intended to provide certain information to you as required by the California Consumer Privacy Act of 2018 (CCPA).
      1. When we use the term “personal data” in this section, we are referring to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household such as:
        • The categories of personal information we have collected about you;
        • The categories of sources from which the personal information is collected;
        • Our business or commercial purpose for collecting or selling personal information;
        • The categories of third parties with whom we share personal information, if any; and
        • The specific pieces of personal information we have collected about you.
    2. On 1 July 2023 the California Privacy Rights Act CPRA will come into enforcement which introduces a new category of personal data called sensitive personal information which includes any private information that divulges any of the following:
      • Personal identification numbers, including social security, driver's licence, passport, or state ID card numbers;
      • Account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts;
      • A consumer's exact geolocation;
      • A consumer's racial origin, religious beliefs, or union membership;
      • A consumer's mail, email, or text message content unless the information was intentionally sent to the business; or
      • A consumer's genetic data, such as DNA samples.
      1. Currently, GoodNotes does not collect any of this data and we ask that you do not provide us with this data. You accept sole responsibility and GoodNotes will not be liable for any sensitive personal information stored in your notebooks.
    3. Information We May Collect:
      1. In the preceding 12 months, we may collect categories of personal information listed below. For more details about the specific data points we may collect, please see the “What kind of data is being collected” section above.
        • Identifiers (such as email address, first name and last name, mailing address, phone number, date of birth, IP addresses, device identifiers, and account information)
        • Personal information as defined in the California customer records law (such as name, contact information, date of birth, and education)
        • Commercial information (such as products or services you considered, transaction information, purchase history, financial details and payment information)
        • Internet or other electronic network activity (such as your browser type, frequency and time and date of visits to our Site, operating system, the site from which you linked to us, the name of the website you chose to visit immediately after ours, information about other websites you have recently visited, site activity, and information about and from your device, including but not limited to device ID, device language, and operating system) 
        • Geolocation data(such as your approximate location based on IP address)
        • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). (This includes the name or address of a student or their family members; personal identifiers of the student such as a student number; and any information that indirectly identifies a student.)
        • Audio, electronic, visual, thermal, olfactory, or similar information
        • Professional or employment-related information (such as your employment status and job type)
        • Inferences from the above information (we may draw inferences drawn from any of the information identified above to create profiles of users and those that interact with us)
      2. Our sources for this information are detailed in the “What Kind of Data is Being Collected” section above. Our business purposes for collecting this information is detailed in the “What is this Data Being Used for” section above. Third parties we share this information with are detailed in the “Who is my Data Disclosed to” section above.
    4. Your rights under the CCPA and CPRA
      1. Right to Know: You have the right to request that we disclose certain information to you about our disclosures and sales of your personal information. Such information shall cover the 12-month period preceding our receipt of your request. Upon our receipt of your verified request, we will provide you with the following:
        • The categories of personal information we have collected from you
        • The categories of personal information we have sold about you and the categories of third parties to whom we sold such information, by category or categories of personal information for each category of third parties to whom the personal information was sold (however, we have not sold your personal information); and
        • The categories of personal information that we disclosed about you for a business purpose.
      2. Right to Deletion: You have the right at any time to request that we delete your personal information. However, in some cases we cannot delete all or some of your personal information as required or permitted by applicable laws.
      3. Right to Accuracy: You have the right to rectify any inaccuracies in your data.
      4. Protection Against Discrimination: You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means that we cannot, among other things:
        • Deny goods or services to you;
        • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
        • Provide a different level or quality of goods or services to you; or
        • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
        • Please note that we may charge a different price or rate or provide a different level or quality of services to you, if that difference is reasonably related to the value provided to our business by your personal information.
    5. Please note that we are not required to:
      • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
      • Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
      • Provide the personal information to you more than twice in a 12-month period.
    6. How to Contact us to Exercise Your CCPA Rights
      1. To submit a request to exercise your “Right to Know” “Right to Accuracy” or “Right to Delete” provided in this notice, please email Nebahat Arslan via or Support Services via We will evaluate the request and take action where required to do so.
      2. We will confirm receipt of your request within 10 business days and will provide information about how we will process your request. We endeavour to respond to your request as soon as we can, within the timeframes permitted under the CCPA. If we are not able to respond to your request within 45 days, we will let you know that we may require additional time (up to 90 total days).
    7. Verification of Requests and Authorised Agents
      1. We may have to verify your identity when you contact us to exercise your rights. Our verification process may vary depending on the nature of your request. However, generally, we will verify your request by asking you to:
        • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorised agent.
        • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
      2. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you.
      3. You may also use an authorised agent to exercise your rights on your behalf. If you wish to use an authorised agent to make a request on your behalf, unless you have provided the authorised agent with power of attorney, we may require that: (1) you provide your authorised agent signed permission to do so; (2) you verify your identity; and (3) you confirm that you have provided the authorised agent permission to submit the request. We may deny any request from an authorised agent that does not submit proof that they have been authorised by you to act on your behalf
      4. Your authorised agent may make a request on your behalf by contacting us at


To the extent that we collect Personal Data with the help of Cookies (which are small text files that include a small quantity of information sent to the browser of users, by a web server, and stored on the hard disk drive of a computer for purposes of archiving, collecting navigation data for statistical analysis purposes, and offering services related to your interests or location), we will process it in accordance with this Privacy Policy.

How uses cookies
    1. A “cookie” is a small text file sent to your computer or mobile device used to collect data regarding your use of the Services. They include a unique identifier that is linked to your account, device or browser. Despite being stored on your device or hard drive, cookies cannot retrieve any of your data stored here.
    2. Company’s features and functionalities require the use of cookies to properly work. Cookies are placed by us and our approved third parties set out below. We will not be held responsible for the placement of Cookies by our third parties.
    3. Our Cookies can be divided into the following categories:
      1. Essential Cookies: These Cookies are required for the basic operation of the Services. These cookies also enable helpful functions that improve your experience on the Services. For example, by recognising you when you return to the Services, personalising content for you, or remembering your preferences. This also enables us to customise elements of the layout and content of the pages of the Services. These include:
        This Cookie ensures the security of our users by protecting from malicious Cross-site scripting (XSS).
        Duration of Cookie
        6 months
        The UserID is linked to the user profile so that we load the correct profile when you access our Services.
        Duration of Cookie
        1 year
        _user token_
        The user token is used for authenticating the user so that we know the user is who they say they are when accessing the Services.
        Duration of Cookie
        1 year
        Cookie consent per browser.
        Duration of Cookie
        6 months
        Kratos Authentication including:
        • ory_kratos_session
        • ory_kratos_continuity
        Saves minimal data so users do not need to log in again.
        Duration of Cookie
        Up to 6 months
      2. Analytical Cookies: These Cookies enable us to collect statistical information about how our users interact with the Services including how long you spend on the Services and which events you encounter, so that we can improve the performance of the Services and learn which parts and functions are most popular with our users. The following analytics technologies are in use:
        Google Analytics Including but not limited to:
        • _gat
        • _gid
        • _ga
        You can also find additional information on Google Analytics cookie usage and how Google uses information from sites or apps that use its services at:
        You can opt out of Google Analytics and customise the Google Display Network ads by visiting the Google Ads Settings page and installing the Google Analytics Opt-out Browser Add-on from each browser on each device.
        Duration of Cookie
        From a few seconds (_gat) to 2 years (_gid)
        Amplitude including:
        • _AMP_
        • amp_
        • AMP_MKTG_
        This provides us with data on the events that occur while a user is interacting with the services.
        Duration of Cookie
        6 months
        Data Dog
        • _dd_s
        This tracks various metrics of the user base as a whole.
        Duration of Cookie
        1 day
  1. How to disable cookies
    1. Some cookies are essential and we cannot provide our Services to you without them, but there are others that can be turned off. Privacy is important to us so we provide the option to disable analytical cookies stored by the aforementioned third parties.
      1. When first accessing our Services you will have the option to disable certain cookies by selecting ‘customise’ on our cookie banner.
    2. Browser settings
      1. Most browsers give users the ability to manage cookies according to personal preferences. In some browsers you can set up rules to manage cookies on a site-by-site basis, meaning you can allow cookies only on sites that you trust.
      2. Browser providers offer help pages relating to cookie management. Click on the links below for more information on cookie management from the most common browser providers:
      3. Although we do our best to honour the privacy preferences of our visitors, we are not able to respond to Do Not Track signals from your browser.
  1. 13. More questions

    1. We commit to resolving complaints about our collection or use of your Personal Data. Individuals with inquiries or complaints should first contact
    2. You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement.
    3. You may unsubscribe from our marketing communications at any time by following the “unsubscribe” link at the bottom of any such communication. Most promotional communications will also offer recipients choices about receiving additional messages.
  2. 14. Response Timing and Format

    1. We endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the registered email associated with the account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
    2. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
  3. 15. Changes to this policy

    The Company reserves the right to make changes to this privacy policy at any time. When we do, we will post the updated version on this page, and if required by law, we will also provide notice to users as required. We encourage you to read this page each time that you use our Services so that you will be aware of any changes, and your continued use of our Services shall constitute your acceptance of any such changes. Changes to this privacy policy take effect from the date of publication, unless stated otherwise.